Protection of security critical data in networks



Description 



Technical Field 



This invention concerns the protection of security critical data in networks according to one of claims 1 to 34.



Background of the Invention 



In modern networks the problem frequently exists that specific data - like authorization data or client accounts - is on the one hand required for the operation of the network and on the other hand highly security critical. Such data should only be accessible and/or manipulated by defined users. The problem exists equally for purely private networks, like company-owned intranets, as well as and especially for public networks, like the Internet. In addition, many companies are currently present in the Internet and have to fear break-ins from public networks due to weak protection of their internal networks. The potential economic losses originating from hacked data can even cause bankruptcy of a compromised company.
all transactions one of the communication partners closes the connection whereupon the other partner closes the connection endpoint on his side.

A typical example of such networks is the Internet or Internet-like intranets, which are built of several programmable and physically linked computers, each executing an operating system, the network and the application programs. Homogeneous systems contain identical or different computers controlled by the same operating system. Heterogeneous systems contain similar or different computers controlled by the same or different operating systems. The networking programs typically follow the ISO/OSI-model, use the UDP/IP- or TCP/IP-stacks and serve for the information exchange between different software components running on the same or different machines.

The mentioned description of prior art client/server systems in general is explained in the following paragraph taking the TCP/IP-protocol as a well known example. The TCP/IP-protocol is per definition a connection oriented protocol based on the ISO/OSI-model between two uniquely identified communication partners, which permits on the one hand to build up a logical point-to-point connection between one unique client and one unique server, and on the other hand guarantees the reliable physical and logical message transmission between server and client, such that the transmitted bytes are received in the same order as they were sent, independent of the number of physical data packets into which a message needed to be split during physical transport and independent of the physical path over which each individual data packet was transmitted in the physical network.

A connection endpoint of a TCP/IP-server process is uniquely identified by the IP-address of the machine executing the TCP/IP-server process and its port-address. The port-address can be interpreted as a logical address, locally unique on the machine executing the server process. Thus, network wide unique TCP/IP-server addresses comprise the physical IP-address as well as the port-address. The vector (IP-address, port-address) is bound to the TCP/IP-server machine and not logical (i.e. not independent of the physical unit), because it contains the IP-address of the TCP/IP-server machine.

Typical systems working according to the described client/server principle are the operating systems Unix, Windows NT, OS/2 or Netware as well as the middleware DCE, TUXEDO or CORBA.

Prior art networks have the following security problems: 

1. Each open connection endpoint of a server running on a unit connected to the network is a potential target for an ill-minded attacker. If a unit provides multiple open connection endpoints of one or more servers, each individual connection endpoint is a potential target.

2. The security of the complete system is given by the security of the weakest server and decreases with increasing number of servers.

3. Prior art Internet-like networks provide their system functionality via server processes. In practice, individual units execute a huge number of servers with an equally huge number of open connection endpoints.

4. A well defined coherent security standard for a complete system can only be guaranteed, if each individual server is implemented according to the same security standard.

In practice a system wide coherent security standard can be achieved only at extremely high costs, since

1. each individual server has to implement the required security mechanisms,

2. the security mechanisms of each individual server have to be tested and verified,

3. during operation the access to each individual server has to be continuously monitored, and

4. during operation each client transaction with a server has to be monitored and authorized.

If one or more servers are provided by independent software companies, additional problems arise especially with respect to nondisclosure of the (internal) security standards, the availability of the server source code (for modifications and/or verification) and/or the liability in case of losses.

Object of this Invention 

The object of this invention is to provide security critical data in networks such that an unauthorized access is technically impossible.

Summary of this Invention 

Existing network systems based upon the client/server principle require on the server side the provision of open connection endpoints. The large number of server processes implies a large number of open connection endpoints. Each open connection endpoint is also a potential target for an ill-minded attacker. The present invention minimizes the risk of a break-in into a network with security critical data.

This problem is solved by minimizing the number of open connection endpoints, the temporary opening of selected connection endpoints and the random choice of the local identifications of the opened connection endpoints. Additionally, security critical data is isolated onto machines, which after build-up of predefined standing connections do not provide any open connection endpoints or establish further connections. This prohibits the build-up of uncontrolled connections to units storing security critical data and still offers the controlled access of the security critical data within the network. Security critical services are able to provide different protocols for different connections and allow the remote administration of the security critical data without granting normal clients access to administrative protocols or functions. Individual protocols or individual functions of individual protocols can be activated, deactivated, dynamically loaded or released into or out of the addressable memory of a security critical service during normal operation.

Brief Description of the Figures 

Further objects, features and advantages of the present invention will become apparent from the following detailed description taken in conjunction with the accompanying figures showing a preferred embodiment of the invention, in which:

Figure 1: illustrates a network system according to claim 1 with one central unit ZE running central process Z, a unit SE storing security critical data SD and running security critical service S and multiple peripheral processes P12, P21 & P22 on peripheral units PE11, PE21 & PE22.

Figure 2a: illustrates a network system according to claim 3. In addition to the system shown in figure 1 the network is divided into two independent segments N1 and N2 where no messages are routed between N1 and N2. The central unit ZE is connected via two independent network interfaces IP1 and IP2 to both segments. Peripheral processes P11, P21 & P22 cannot directly access unit SE or service S, but are still able to access security critical data under control of Z and S.

Figure 2b: illustrates a network system according to claim 5 divided into two independent segments N1 and N2. No messages are routed between N1 and N2. The central unit ZE is connected via two independent network interfaces IP1 and IP2 to both segments. During connection build-up to Z peripheral process P21 is authenticated by authorization service AS and authentication data AD. If AS authorizes P21, Z accepts the connection request of P21 and P21 is able to access the security critical data SD under control of Z and S.

Figure 3a: illustrates a network system according to claim 6 with a closed operational subsystem Z, indirect logon via LZ, local authentication by LZ and triggered temporary opening of the closed operational system Z.

Figure 3b: illustrates the sequence of messages during connection build-up in the network system shown in figure 3a.

Figure 4a: illustrates a network system according to claim 9 with a closed operational subsystem Z, indirect logon via LZ, remote authentication by AS and triggered temporary opening of the closed operational system Z.

Figure 4b: in addition to figure 4a the logon subsystem LZ and the operational subsystem Z are running independently on separate units. The physical address of Z is either known by P21 in advance or transmitted during connection build-up via the logon subsystem.

Figure 4c: illustrates the sequence of messages during connection build-up in the network system shown in figures 4a and


Figure 5a: illustrates a network system according to claim 22 wherein service S maintains two independent connections to subsystems Z and AZ. On the connection to AZ S provides protocol AP and on the connection to Z protocol PP.

Figure 5b: illustrates the sequence of messages during connection build-up and for an authorized administrative transaction initiated by A in the network system shown in figure 5a.

Detailed Description of this Invention 

Prior art networks reach the object of this invention by physically separated networks, which are protected with firewalls or proxy servers against each other. Traditional firewalls only check the connection build-up between client and server running in physically separated networks and do not offer the possibility to monitor and authorize individual transactions on the logical level. Proxy servers offer this possibility but execute, after a positive authorization check, as clients temporary transactions to secondary (protected) servers. Both solutions have the disadvantage that security critical data is stored on units executing at least one server process which always has to provide at least one open connection endpoint.

The present patent solves the stated problem by a network system according to claim 1, such that units storing security critical information - called security critical units - do not execute any server processes and

1. the security critical service - implemented as client - establishes at least one standing connection to one central process - implemented as server, or

2. the security critical service - implemented as server - accepts only predefined standing logical connections from at least one central process - implemented as client - and after the establishment of this connection (or these connections) does not provide any open connection endpoints, such that no further connections to the security critical service can be established.

Since no additional connections can be established to the security critical unit, a direct access of the security critical unit bypassing the network system is technically impossible. The security critical information can be accessed in the network only via the predefined connections, at least one central process and at least one security critical service.

In a network system according to claim 2 at least one peripheral process is able to communicate indirectly via the central process with at least one service out of a group of services identified with a unique identification.

Figure 1 illustrates an incarnation of a network system according to claims 1 or 2 consisting of a central unit ZE connected via a network interface with address IP and the physical connections PC11, PC12, PC21 and PC22 with units SE, PE11, PE21 and PE22.

Unit ZE executes a central process Z accepting connections from processes running on SE, PE11, PE21 and PE22. Unit SE stores security critical data SD which should be accessible from authorized network components. SE executes for this purpose a security critical process S maintaining a standing logical connection to process Z on ZE. Once this connection has been established S does not provide any open connection endpoints, does not accept further connection requests and does not establish further connections. Except S no other threads are running on SE, which establish, accept or maintain logical connections. The standing connection between S and Z is the only logical connection to SE such that security critical data SD can only be accessed via this connection controlled by S and Z.

Each peripheral process P12, P21 & P22 establishes a standing logical connection to Z and has the possibility to communicate via Z with S. Z only forwards authorized requests from a peripheral process to S and authorized replies from S to a peripheral process. S determines the functionality of the access of the security critical data SD.
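The property that figure 1 asserts for unit SE (no open connection endpoints, only the standing connection to Z) can be audited on a Linux host from /proc/net/tcp. The following is an added example, not part of the patent; the snapshot text, the addresses 10.1.0.20 (SE) and 10.1.0.1:4000 (Z on IP1) and the function names are constructed for illustration:

```python
import ipaddress

# Socket state codes as the Linux kernel prints them in /proc/net/tcp
ESTABLISHED, LISTEN = "01", "0A"

# Constructed /proc/net/tcp snapshots (only local/remote address and state are used).
# SE_CLOSED: one established connection from 10.1.0.20 (SE) to 10.1.0.1:4000 (Z), nothing listening.
# SE_LEAKY: the same plus a listener on port 22, which the closed-unit design forbids.
SE_CLOSED = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 1400010A:C822 0100010A:0FA0 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 20 4 30 10 -1
"""
SE_LEAKY = SE_CLOSED + (
    "   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000"
    "     0        0 12346 1 0000000000000000 100 0 0 10 0\n"
)


def decode_addr(field):
    """'0100007F:1F90' -> ('127.0.0.1', 8080); the IP bytes are in host (little-endian) order."""
    ip_hex, port_hex = field.split(":")
    ip = ipaddress.IPv4Address(bytes.fromhex(ip_hex)[::-1])
    return str(ip), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Turn the table into dicts with local/remote (ip, port) tuples and the state code."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) < 4:
            continue
        rows.append({"local": decode_addr(parts[1]),
                     "remote": decode_addr(parts[2]),
                     "state": parts[3]})
    return rows


def audit_closed_unit(rows, allowed_peers):
    """Return violations of 'no open endpoints, only standing connections to Z'.
    allowed_peers: set of (ip, port) of the central process(es) this unit may talk to.
    An empty list means the unit is closed in the sense of claim 1."""
    violations = []
    for r in rows:
        lip, lport = r["local"]
        rip, rport = r["remote"]
        if r["state"] == LISTEN:
            violations.append(f"open connection endpoint {lip}:{lport}")
        elif r["state"] == ESTABLISHED and (rip, rport) not in allowed_peers:
            violations.append(f"connection to non-central peer {rip}:{rport}")
    return violations


def audit_live_host(allowed_peers, path="/proc/net/tcp"):
    """Run the audit against the running Linux host (IPv4 table only)."""
    with open(path) as f:
        return audit_closed_unit(parse_proc_net_tcp(f.read()), allowed_peers)
```

The same audit over /proc/net/tcp6 would be needed on dual-stack hosts; the IPv6 address field is four little-endian 32-bit words, not covered here.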

A network according to claim 3 is additionally divided into two physical segments, where messages between the two segments are not routed, where the unit storing the security critical data - called security critical unit - as part of one segment cannot be reached by units of the other segment - called uncritical segment - and where a central process controls the traffic between the security critical and the uncritical segment(s). This solution offers threefold protection of the security critical data:

1. an attack of the security critical data bypassing the central process and the security critical service is technically impossible, because the communication to the security critical unit is only possible via the pre-established connections and no thread on the security critical unit provides an open connection endpoint for an ill-minded attacker,

2. the direct access of the security critical unit is further impossible for all threads running in uncritical segments, since messages between the security critical segment and the uncritical segments are not routed, and

3. messages within the security critical segment cannot be "sniffed" by ill-minded attacker(s) in uncritical segments, because they are not transmitted through any uncritical segment.

Figure 2a illustrates an incarnation of a network according to claim 3 comprising two separated network segments N1 (security critical) and N2 (uncritical). No units of segment N1 can establish direct connections to units of segment N2, because no messages are routed between N1 and N2. Unit ZE is connected to segment N1 via a network interface with address IP1 and to segment N2 via another network interface with address IP2.

Units SE & PE11 in N1 are connected via the physical connections PC11/12 with network interface IP1 of unit ZE. Units PE21 & PE22 in N2 are connected via the physical connections PC21/22 with network interface IP2 of unit ZE.
Unit ZE executes process Z which can accept connection requests via IP1 and IP2 from processes running in N1 or N2. Unit SE stores security critical data SD, which should be provided to authorized clients within the complete network (i.e. N1 & N2). For this purpose SE executes process S - called security critical service - maintaining a standing logical connection via physical connection PC11 and network interface IP1 to process Z on ZE. On top of this connection S neither provides open connection endpoints, nor accepts incoming connection requests, nor establishes other logical connections. Unit SE executes no other processes or threads except S, which establish or maintain logical connections or accept incoming connection requests. The connection between S and Z is the only logical connection to SE, forcing any access of data SD to be performed via this connection (under the control of S and Z).

Peripheral processes P12, P21 and P22 establish via physical connections PC12, PC21 and PC22 and network interfaces IP1 and IP2 standing logical connections to Z and have the possibility to communicate via Z with S. Z determines which messages from P12, P21 or P22 are authorized to be forwarded to S and which messages of S are authorized to be forwarded to P12, P21 or P22. S determines the functionality and kind of access of the protected data SD.

In network systems according to claims 4 and 5 a peripheral thread has to transmit additional authentication data, like its identity and password, after a successful connection to Z has been established, such that either the central process itself (claim 4) or an independent authorization service (claim 5) can check the access rights of the peripheral thread. In case of a negative result of this authorization check the central process terminates the connection to the peripheral thread. In a network system according to claim 5 it is very advantageous to prohibit any other logical connections to unit AE except the connection between AS and Z. In this case the authorization data AD is protected in the same way as the security critical data SD and can be reached only via Z and AS.



Figure 2b shows an incarnation of a network system according to claim 5 comprising two separated networks N1 (security critical) and N2 (uncritical). Messages between N1 and N2 are not routed to prohibit any direct connections between units in N1 and units in N2. Unit ZE is connected to segment N1 via a network interface with address IP1 and to segment N2 via another network interface with address IP2. Units SE & AE in N1 are connected via the physical connections PC11/12 with network interface IP1 of unit ZE. Units PE21 & PE22 in N2 are connected via the physical connections PC21/22 with network interface IP2 of unit ZE.

Unit AE stores authorization data AD and executes authorization thread AS, which maintains a standing logical connection to Z. No further connections are established, maintained or accepted by threads on AE, such that authorization data AD can only be accessed via Z and AS.

After connecting to Z, P21 transmits its access data to Z (1). Z forwards the access data to AS (2), AS checks the access rights using the authorization data and sends the result to Z (3). In case of a positive (negative) result Z accepts (terminates) the connection of the peripheral thread.

For peripheral processes in uncritical segments - called uncritical clients - the open connection endpoints of the central process Z are the only targets of a potential attack. Networks according to claims 1 to 5 have the disadvantage that all uncritical clients have direct access to a central process connected to a security critical service without prior authentication and authorization (claim 1) or that the central process is loaded with the authentication and authorization (claims 4 and 5). Secondly, a denial-of-service attack on the open connection endpoints of the central process can dramatically affect the performance of the system, since the central process needs to spend a large portion of its time to defend itself against unauthorized attackers.

The disadvantages of a network system according to one of the claims 1 to 5 can be eliminated by a network system according to claim 6, in which




1. a separate logon process LZ running on the same or another unit as central process Z always provides at least one open connection endpoint to which any peripheral thread can connect, and

2. the central process Z provides open connection endpoints for authorized clients only after reception of a trigger from the logon process and only for a predefined time interval.

Figure 3a illustrates an incarnation of a network system according to claim 6 comprising two separated networks N1 (security critical) and N2 (uncritical). Messages between N1 and N2 are not routed to prohibit any direct connections between units in N1 and units in N2. Unit ZE is connected to segment N1 via a network interface with address IP1 and to segment N2 via another network interface with address IP2. Unit SE in N1 is connected via the physical connection PC11 with network interface IP1 of unit ZE. Unit PE21 in N2 is connected via the physical connection PC21 with network interface IP2 of unit ZE.

Unit ZE executes two processes Z and LZ, which both can accept via IP1 and IP2 connections from processes running in N1 and N2. LZ always provides at least one open connection endpoint identified by a fixed local identification. The local identification of the connection endpoints of LZ and the network interface address IP1 or IP2 are known by all peripheral processes in N1 or N2, such that the peripheral processes can connect anytime to LZ.

During normal operation Z maintains only standing connections to LZ, S and already connected peripheral processes and does not provide any open connection endpoints. Peripheral processes from N1 or N2 cannot directly connect to Z, because Z does not provide any open connection endpoint and because the peripheral processes do not know the local identification of a potential connection endpoint of Z.

The connection build-up of a peripheral process P21 to Z follows the logical scheme illustrated in figure 3a and the timeline shown in figure 3b. Initially P21 only knows the physical identification of network interface IP2 and the local identification of the connection endpoint of LZ. This information is enough for P21 to connect to LZ and to send its authentication information to LZ (1). LZ checks the access rights of the particular peripheral process against the authorization data AD and in case of a positive result triggers Z to provide a new connection endpoint (2). Z opens a new connection endpoint and sends the local identification of the new connection endpoint back to LZ (3). LZ forwards the local identification to P21 (4). With the knowledge of the address of the network interface IP2 and the local identification P21 is able to connect to the newly opened connection endpoint of Z (5) and the connection between P21 and Z is established, if Z accepts the connection request (6). If Z denies the connection request or if P21 does not connect within a predefined time interval after Z opened the new connection endpoint, Z closes the connection endpoint and the system returns to its initial state, where no direct connections to Z can be established.

The advantage of a network system according to claim 6 is that the target of a potential attack is reduced to the absolute minimum while still allowing general connectivity at any time. To bypass the logon process a potential attacker has to connect to the temporarily opened connection endpoint before the authorized peripheral process connects.

Claim 7 describes a special case of claim 6, where the connection between the logon process LZ and the central process Z is realized by a direct standing logical connection. This guarantees that no other process can connect to the central process Z as logon process.

In a network system according to claim 8 a logon process performs additional authorization checks of peripheral processes independent of the central process and triggers the central process to open a new connection endpoint only if the peripheral process has been authenticated and authorized. This technique releases the central process from the burden of authentication and authorization tasks. Nevertheless, the authorization data AD needs to be stored on each central unit which executes a logon process. Since authorization data is itself security critical, it is advantageous to protect the authorization data according to the same principles as claims 1 to 7.

In a network system according to claim 9 the authorization data is stored on a separate unit AE in the critical segment N1. AE executes authorization service AS maintaining standing logical connections to the logon process LZ and the central process Z. On top of the connections to LZ and Z, AS does not open or accept further connections to or from any other process. The authorization data is completely located inside the critical segment N1 and cannot be reached from uncritical segments. In addition, in a system with several logon processes AS could maintain standing connections to each of them, such that all logon processes can access the same authorization data without the need of data replication.

Figure 4a illustrates an incarnation of a network system according to claim 9 comprising two separated network segments N1 and N2. No units of segment N1 can establish direct connections to units of segment N2, because no messages are routed between N1 and N2. Unit ZE is connected to segment N1 via a network interface with address IP1 and to segment N2 via another network interface with address IP2. Units AE & SE in N1 are connected via the physical connections PC11 & PC12 with network interface IP1 of unit ZE. Unit PE21 in N2 is connected via the physical connection PC21 with network interface IP2 of unit ZE.

Unit ZE executes two processes Z and LZ, which can accept via IP1 resp. IP2 connections from processes running in N1 resp. N2. LZ maintains a standing connection to authorization service AS on AE and always provides at least one open connection endpoint identified by a fixed local identification. The local identification of the connection endpoints of LZ and the address IP1 resp. IP2 of the network interface of ZE are known by all peripheral processes in N1 resp. N2. The peripheral processes are able to open a connection to LZ anytime.

During normal operation Z maintains only standing connections to AS, S and already connected peripheral processes and does not provide any open connection endpoints. Peripheral processes from N1 or N2 cannot directly connect to Z, because Z does not provide any open connection endpoint and because the peripheral processes do not know the local identification of a potential connection endpoint of Z.

Unit AE stores authorization data AD and executes authorization thread AS, which maintains standing logical connections to Z and LZ. No further connections are established, maintained or accepted by threads on AE, such that authorization data AD can only be accessed via Z and AS.

The connection build-up of a peripheral process P21 to Z follows the logical scheme illustrated in figure 4a and the timeline shown in figure 4c. Initially P21 only knows the physical identification of network interface IP2 and the local identification of the open connection endpoint of LZ. This information is enough for P21 to connect to LZ and to send its authentication data to LZ (1). LZ forwards the authentication data to AS (2), AS checks the access rights of the particular peripheral process against the authorization data AD and, in case of a positive result, triggers Z to provide a new connection endpoint (3). Z opens a new connection endpoint and sends the local identification of the new connection endpoint back to AS (4). AS forwards the local identification via LZ to P21 (5 & 6). With the knowledge of the address of the network interface IP2 and the local identification P21 is able to connect to the newly opened connection endpoint of Z (7) and the connection between P21 and Z is established, if Z accepts the connection request (8). If Z denies the connection request or if P21 does not connect within a predefined time interval after Z opened the new connection endpoint, Z closes the connection endpoint and the system returns to its initial state, where no direct connections to Z can be established.

Figure 4b shows the same logical network system as figure 4a with the exception that the logon process LZ and central process Z are running on two different units LZE and ZE, which are connected via network interfaces LIP1 resp. LIP2 and IP1 resp. IP2 with segments N1 resp. N2.

In this case a peripheral process from N1 resp. N2 only needs the knowledge of the physical address of network interface LIP1 resp. LIP2 and the local identification of the open connection endpoint of LZ to build up a connection to Z. The physical address IP2 of the network interface of central unit ZE executing Z, which temporarily opens a new connection endpoint, will be transmitted together with the local identification of the new connection endpoint to the authenticated peripheral process. Knowing IP2 and the local identification of the new connection endpoint provided by Z the authenticated peripheral process is able to build up a logical connection to Z.

Since LZ and Z are running on different units, the communication between LZ and Z needs to be physically transmitted between the corresponding units. This can be accomplished by a separate direct physical connection between units LZE and ZE or via segments N1 or N2.

It is important that the communication between LZ and Z is not routed via the uncritical segment N2 (i.e. network interfaces LIP2 and IP2), otherwise the communication between LZ and Z could be "sniffed" in N2.

In networks according to claims 6 to 9 the peripheral processes/threads know the physical address of at least one network interface of at least one central process providing an open connection endpoint as well as the local identification of said connection endpoint. The physical address, e.g. the central unit itself, as well as the local identification of the connection endpoint can be static or chosen dynamically by the system. The dynamic choice of the central process or the dynamic generation of the local identification of the temporarily opened connection endpoints has the advantage that potential attackers do not know the connection parameters in advance and have to determine them in real-time, for example by "port scanning". Since a "port scan" takes some time, the time interval during which the central process keeps a new connection endpoint open can be chosen short enough that the central process will close unused open connection endpoints in most cases before their detection by an attacker. Authorized peripheral threads with the knowledge of the correct connection parameters normally connect without time delay.
It is advantageous if the physical address of the central unit of a central process providing an open connection endpoint or the local identification of the connection endpoint are not known to a peripheral thread prior to its authentication by the logon process (claims 10 and 16). After a positive authentication one of the parameters can be dynamically chosen by either the logon process (claims 11 and 17), the central process providing the newly opened connection endpoint (claims 12 and 18) or the authorization service (claims 13 and 19), and transmitted via the logon process to the peripheral process during connection build-up.

Of particular advantage is the random or pseudo-random choice of 
the central unit (claim 20) or the random or pseudo-random 
generation of the local identification of the new connection 
endpoint (claim 14), so that potential attackers can neither guess 
nor calculate the parameters of an opened connection endpoint. 
Additional encryption of the connection parameters during 
transmission to the peripheral thread also prevents their being 
"sniffed" (claims 15 and 21). 

In addition to the dynamic generation of the local identification 
of a new connection endpoint and the dynamic choice of the central 
process, it is of further advantage to generate further dynamic 
access parameters, like random one-time keys, and to transmit them 
to the peripheral thread by way of the logon process, the 
authorization service or the central process. These further access 
parameters have to be presented by the peripheral thread to the 
central process as proof of authentication during connection 
build-up. With these access parameters the central process can 
verify that it is the correctly authenticated client that is 
connecting. The additional access parameters are advantageously 
encrypted during transmission over the physical network. 

All network systems according to claims 1 to 21 have the 
disadvantage that the security critical service S provides the 
same protocol on all of its connections. If the protocol comprises 
only client functionality, remote administration of the machine or 
of the security critical data is impossible (even for system 
administrators). If the protocol also comprises administrative 
functions, all peripheral processes gain the possibility of 
accessing those functions. This problem can be partially solved by 
additional authorization of administrative requests by the central 
process Z or by the service S. It is of course much better not to 
give normal peripheral processes any possibility of accessing 
administrative functions at all. 

In a network system according to claim 22 the security critical 
service S is able to maintain two parallel standing connections: 
one to the central process Z, providing normal client 
functionality, and the other to an administrative central process 
(reachable only within the critical network segment) providing 
administrative functionality. 

The following claims characterize services which allow, during 
normal operation, individual protocols (claims 23 to 25) as well as 
individual functions of individual protocols (claims 26 to 28) to be 
switched on and off, and individual protocols (claims 29 to 31) as 
well as individual functions of individual protocols (claims 32 to 
34) to be loaded or released. 

Figure 5a shows an embodiment of a network system according to 
claim 22 comprising two separate network segments N1 and N2. No 
unit in segment N1 can establish a direct connection to a unit in 
segment N2, because no messages are routed between N1 and N2. Unit 
ZE is connected to segment N1 via a network interface with address 
IP1 and to segment N2 via another network interface with address 
IP2. Units AE and SE in N1 are connected via the physical 
connections PC with network interface IP1 of unit ZE and with AZE. 

Unit ZE executes thread Z, which can accept connections from 
threads running in N1 via IP1 and from threads running in N2 via 
IP2. Z is connected via individual logical connections to the 
authorization service AS on AE and to the critical service S on 
SE, and always provides at least one open connection endpoint with 
a fixed local identification. The local identification of the 
connection endpoints of Z and the addresses IP1 and IP2 of the 
network interfaces of ZE are known to all peripheral processes in 
N1 and N2 respectively. All peripheral processes are able to 
connect to Z at any time. 

Unit AZE executes thread AZ, which can accept connections from 
threads running in N1. AZ is connected via individual logical 
connections to the authorization service AS on AE and to the 
critical service S on SE, and always provides at least one open 
connection endpoint with a fixed local identification. The local 
identification of the connection endpoints of AZ and the physical 
address of AZE are known to the administrative process A in N1. 
All administrative processes are able to connect to AZ at any 
time. 

Unit AE stores the security critical authorization data AD and 
executes the authorization service AS, which maintains individual 
logical connections to AZ and Z. Those two connections are the 
only connections to or from threads on unit AE. 

Unit SE stores the security critical data SD and executes the 
security critical service S, which maintains individual logical 
connections to AZ and Z. Those two connections are the only 
connections to or from threads on unit SE. On the connection to Z, 
S provides the peripheral protocol PP, which allows peripheral 
process P to access security critical data via Z and S. The 
peripheral protocol PP controls which functions are available to 
peripheral process P. In addition, transactions of peripheral 
processes with S can be authorized by Z and AS. 

On the connection to AZ, S provides the administrative protocol 
AP, which enables A to administer and maintain the data SD via AZ. 
In addition, transactions of administrative processes with S can 
be authorized by AZ and AS. 

Access to the administrative functions provided by the 
administrative protocol AP is granted only to peripheral processes 
of AZ, which have to run within N1, since units in N2 have no 
access to AZE. In addition, Z and AZ are not connected by any 
logical connection. Thus peripheral processes running in N2 can 
contact AZ neither directly nor indirectly and never get access to 
functions of the administrative protocol AP of S. 

Figure 5b illustrates the timing of an authorized administrative 
transaction of A to S in the system shown in figure 5a. Messages 
1-4 comprise the connection build-up of A to AZ, authorized by AS 
(2 and 3). 

At the beginning of an administrative transaction A sends, via AZ, 
a request together with its identity to AS asking for a key with 
which to encrypt its authentication data (5 and 6). AS checks the 
identity of the requester, creates and stores a new random one-time 
key and transmits this key via AZ to A (7 and 8). A encrypts its 
authentication data with the received one-time key and sends the 
transaction request together with its identity, the transaction 
parameters and the encrypted authentication data to AZ (9). AZ 
forwards the identity, the encrypted authentication data and the 
kind of transaction requested to AS (10). AS decrypts the 
authentication data with the stored one-time key and checks the 
correctness of the authentication data and the authorization of 
the transaction for A. Upon a positive result AS sends an 
authorization acknowledgement to AZ (11) and AZ forwards the 
transaction request to S (12). S executes the transaction and 
replies with the result via AZ to A (13 and 14). 
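The exchange of figure 5b, and the random one-time access parameters discussed earlier in this section, as one added example that is not the patent's code. A, AZ, AS and S are modelled as Python objects passing messages 5 to 14 in-process: AS issues a fresh random one-time key per request and deletes it on first use, so a replayed message 9 is refused; AZ only relays and never sees decrypted authentication data; S executes only after AS has acknowledged. Identities, secrets, the data in AD and SD, the fixed-length padding of the authentication data and the use of the one-time key as a one-time pad are assumptions of the example:

```python
import hmac
import secrets

# Added example (not the patent's code): the administrative transaction of
# figure 5b with A, AZ, AS and S as Python objects exchanging messages 5-14
# in-process. AD, SD, the padding of the authentication data and the
# one-time-pad encryption with the one-time key are assumptions.

AUTH_LEN = 32   # authentication data is padded to this length (assumption)


def xor_bytes(data, key):
    """One-time-pad encryption/decryption: random key, same length, used once."""
    if len(key) != len(data):
        raise ValueError("one-time key must match data length")
    return bytes(d ^ k for d, k in zip(data, key))


def pad_auth(secret):
    if len(secret) > AUTH_LEN:
        raise ValueError("secret too long")
    return secret.ljust(AUTH_LEN, b"\0")


class AuthorizationService:
    """AS on AE: holds AD, issues one-time keys, checks authentication and authorization."""
    def __init__(self, ad):
        self.ad = ad              # identity -> {"secret": bytes, "allowed": set}
        self.pending = {}         # identity -> one-time key, removed on first use

    def issue_key(self, identity):                           # messages 6 -> 7
        if identity not in self.ad:
            return None
        self.pending[identity] = key = secrets.token_bytes(AUTH_LEN)
        return key

    def authorize(self, identity, enc_auth, transaction):    # messages 10 -> 11
        key = self.pending.pop(identity, None)               # consumed; a replay finds none
        if key is None or len(enc_auth) != AUTH_LEN:
            return False
        record = self.ad[identity]
        if not hmac.compare_digest(xor_bytes(enc_auth, key), record["secret"]):
            return False
        return transaction in record["allowed"]


class CriticalService:
    """S on SE: holds SD and executes transactions of the administrative protocol AP."""
    def __init__(self, sd):
        self.sd = sd

    def execute(self, transaction, params):                  # messages 12 -> 13
        if transaction == "get":
            return ("ok", self.sd.get(params["key"]))
        if transaction == "set":
            self.sd[params["key"]] = params["value"]
            return ("ok", params["value"])
        return ("error", "unknown transaction")


class AdminCentralProcess:
    """AZ on AZE: relays between A, AS and S; never sees decrypted authentication data."""
    def __init__(self, auth_service, critical_service):
        self.AS, self.S = auth_service, critical_service

    def request_key(self, identity):                         # message 5 in, 8 out
        return self.AS.issue_key(identity)

    def transaction(self, identity, transaction, params, enc_auth):   # 9 in, 14 out
        if not self.AS.authorize(identity, enc_auth, transaction):
            return ("denied", None)
        return self.S.execute(transaction, params)


class AdminProcess:
    """A in N1: obtains a one-time key, encrypts its authentication data, requests the transaction."""
    def __init__(self, identity, secret, az):
        self.identity, self.secret, self.AZ = identity, pad_auth(secret), az

    def run(self, transaction, params):
        key = self.AZ.request_key(self.identity)             # messages 5..8
        if key is None:
            return ("denied", None)
        enc_auth = xor_bytes(self.secret, key)               # message 9 carries only ciphertext
        return self.AZ.transaction(self.identity, transaction, params, enc_auth)


def build_system():
    """Constructed AD and SD for the demonstration."""
    ad = {"alice": {"secret": pad_auth(b"alice-admin-secret"), "allowed": {"get", "set"}},
          "bob": {"secret": pad_auth(b"bob-operator-secret"), "allowed": {"get"}}}
    return AdminCentralProcess(AuthorizationService(ad), CriticalService({"quota": 10}))


def demo_transactions():
    az = build_system()
    alice = AdminProcess("alice", b"alice-admin-secret", az)
    bob = AdminProcess("bob", b"bob-operator-secret", az)
    mallory = AdminProcess("alice", b"wrong-guess", az)      # knows the identity, not the secret
    return {"alice_set": alice.run("set", {"key": "quota", "value": 20}),
            "bob_get": bob.run("get", {"key": "quota"}),
            "bob_set": bob.run("set", {"key": "quota", "value": 0}),   # "set" not authorized
            "mallory_get": mallory.run("get", {"key": "quota"})}       # wrong authentication data


def demo_replay():
    """Message 9 sniffed and replayed: the stored one-time key is already consumed."""
    az = build_system()
    enc_auth = xor_bytes(pad_auth(b"alice-admin-secret"), az.request_key("alice"))
    first = az.transaction("alice", "get", {"key": "quota"}, enc_auth)
    return first, az.transaction("alice", "get", {"key": "quota"}, enc_auth)
```

The XOR with a single-use random key of the same length is a genuine one-time pad, which is why AS must delete the key on first use: encrypting a second record with the same key would leak the XOR of the two plaintexts. Note also that in message 10 AS learns the kind of transaction but not its parameters, so AS authorizes the class of operation and relies on AZ to forward the request to S unchanged; the example mirrors that division of duties.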

Many Internet service providers today face the problem that a 
single (IP address, local port) pair addresses only one server 
process, which can easily be overloaded by a large number of 
parallel clients. It would be better if the client load were 
distributed over multiple redundant server processes running on 
different units. Prior art networks do not allow this via a single 
IP address and a single local port, because each redundant server 
process has its own local port and/or each unit executing a 
redundant server process has its own physical address. In addition, 
prior art client processes are able to connect only to uniquely 
addressed server processes. 

The fact that in a network system according to claim 10 or 16 each 
peripheral thread does not initially know the local identification 
of the central process (claim 10) or the physical address of the 
network interface of the central unit (claim 16), and receives 
that local identification (claim 10) or physical address (claim 
16) during the logon process, can be used advantageously to 
distribute peripheral threads over individual subcentral 
processes. 




In a network system according to claim 35 or 36 a peripheral 
thread first connects to the logon central process and receives 
the coordinates of a central process dynamically during the logon 
process. In network systems according to claims 10 or 16 the 
choice of the central process can be determined by any criteria; 
claims 35 and 36 specify particular criteria for individual 
applications. 

If the choice of the central process depends on the authorization 
of the peripheral process, individual central processes can be 
dedicated to unauthorized guests, to authenticated users and to 
system administrators. During the logon process the peripheral 
threads receive information only about the subsystem they are 
authorized for, so that a guest user sees only the coordinates of 
a guest central process and no information at all about other 
central processes accessible to authorized users or system 
administrators. Each central process provides only the information 
or services corresponding to the authorization of its clients. 
This technique effectively guarantees that individual services are 
addressable only by peripheral threads with the required 
authorization, and that peripheral threads without the required 
authorization neither see the existence of those services nor are 
able to address them. 

For the distribution of a large number of peripheral threads over 
multiple equivalent central processes ("load balancing"), the 
logon system chooses the destination central process according to 
the number of peripheral threads already connected to the eligible 
central processes, or according to the load of the eligible 
central processes or central units. Since the load of a central 
process or unit is subject to large short-term fluctuations, it is 
advantageous to average the process or system load over a defined 
time interval and to use this gliding (moving) average as the 
selection criterion. The load of a central unit can be measured 
according to different criteria, such as the number and activity 
of processes, the CPU load, or the memory usage (core memory, 
secondary and/or external media). 

If the choice of the central process is determined by particular 
features or resources required by the peripheral thread itself, or 
required by the logon system on behalf of individual peripheral 
threads, it is possible to select only those central processes 
able to provide the required features or resources. 

In such a system a peripheral thread can, for example, demand a 
connection to a central process providing required information, 
services or system resources. In another example the logon system 
already knows that a particular type of peripheral thread requires 
certain information, services or system resources, and chooses 
only central processes able to provide them. 

To optimize system performance, the choice of the central process 
in dependence on the geographical, network topological or system 
topological locations of the communication partners, or on the 
quality and speed of the connection, is very important. Different 
connections are, for example, limited by their physical 
transmission technology to different maximum transmission rates. 
The maximum transmission rate determines the minimum transmission 
time for individual messages and therefore the overall system 
timing. If a single system uses different transmission techniques, 
it is very advantageous to adapt individual subsystems to the 
particular transmission technique, so that the logon system can 
select only those central processes optimized for the transmission 
technology used on the connection to a particular peripheral 
thread. A typical application is system access via a local area 
network (LAN) with transmission rates above 10 Mbit/s on the one 
hand, and via modem and wide area network (WAN) with transmission 
rates in the order of 64 kbit/s on the other. In such an 
environment it is very advantageous to dedicate individual 
subsystems, each with its own central process, to each access mode 
and to select the central process according to the transmission 
rate to a particular peripheral thread. 

In general, the maximum transmission rate of a connection between 
two communication partners depends not only on the physical 
transmission technique alone. It is also limited by the 
geographical locations, by the network topological locations (i.e. 
the number of hops at which a message is forwarded by routers, 
switches, proxies, firewalls etc.) and by the system topological 
locations (i.e. the number of processes through which a message 
has to pass) of the communication partners. In many cases it is 
therefore advantageous to select the central processes according 
to the physical transmission technique and to the said 
geographical, network topological and system topological criteria. 
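The selection criteria of claims 35 and 36 discussed in this section (authorization of the client, features or resources it requires, transmission technology of its link, and the gliding average of the candidates' load), brought together in one added example that is not the patent's code. The logon process filters the central processes a client may be directed to and hands back exactly one pair of coordinates, so a guest never learns where the user or administrator subsystems are; the load comparison also shows why the gliding average and the latest sample can pick different replicas. Addresses, ports, role and feature names, link types and load samples are constructed:

```python
from collections import deque

# Added example (not the patent's code): a logon process that hands a
# peripheral thread the coordinates of exactly one central process, chosen
# by authorization, required features, link technology and gliding average
# load. Addresses, ports, roles, features, link types and loads are constructed.


class CentralProcess:
    def __init__(self, address, port, roles, features, link, window=5):
        self.address = address              # physical address of the central unit
        self.port = port                    # local identification of the endpoint
        self.roles = frozenset(roles)       # authorization levels served here
        self.features = frozenset(features) # information/services/resources provided
        self.link = link                    # transmission technology the subsystem is tuned for
        self.samples = deque(maxlen=window) # most recent load measurements (0.0 .. 1.0)

    def record_load(self, load):
        self.samples.append(load)

    def latest_load(self):
        return self.samples[-1] if self.samples else 0.0

    def gliding_average(self):
        return sum(self.samples) / len(self.samples) if self.samples else 0.0

    def coordinates(self):
        return (self.address, self.port)


class LogonProcess:
    def __init__(self, centrals):
        self.centrals = list(centrals)

    def select(self, role, required=frozenset(), link="lan", use_average=True):
        """Return the coordinates of the chosen central process, or None.

        A client only ever learns the coordinates returned here; central
        processes it is not authorized for stay invisible to it.
        """
        eligible = [c for c in self.centrals
                    if role in c.roles and frozenset(required) <= c.features
                    and c.link == link]
        if not eligible:
            return None
        load = (lambda c: c.gliding_average()) if use_average else (lambda c: c.latest_load())
        best = min(eligible, key=lambda c: (load(c), c.address, c.port))  # deterministic tie-break
        return best.coordinates()


def build_system():
    """Constructed subsystems: guest, user (two LAN replicas and one WAN), admin."""
    guest = CentralProcess("10.0.0.11", 5001, {"guest"}, {"catalog"}, "lan")
    user_a = CentralProcess("10.0.0.12", 5002, {"user"}, {"catalog", "orders"}, "lan")
    user_b = CentralProcess("10.0.0.13", 5002, {"user"}, {"catalog", "orders"}, "lan")
    user_wan = CentralProcess("10.0.0.14", 5003, {"user"}, {"catalog", "orders"}, "wan")
    admin = CentralProcess("10.0.0.20", 5100, {"admin"}, {"catalog", "orders", "admin"}, "lan")
    # user_a shows a short spike in its latest sample; user_b is steadily busier.
    for load in (0.2, 0.2, 0.2, 0.2, 0.8):
        user_a.record_load(load)
    for load in (0.5, 0.5, 0.5, 0.5, 0.5):
        user_b.record_load(load)
    return LogonProcess([guest, user_a, user_b, user_wan, admin])


if __name__ == "__main__":
    lp = build_system()
    print("guest ->", lp.select("guest"))
    print("guest asking for admin ->", lp.select("guest", {"admin"}))
    print("user, gliding average ->", lp.select("user"))
    print("user, latest sample only ->", lp.select("user", use_average=False))
    print("user over WAN ->", lp.select("user", link="wan"))
    print("admin ->", lp.select("admin", {"admin"}))
```

With the constructed samples the latest reading would send a user to the second LAN replica, while the gliding average over the last five readings sends it to the first; that is the temporal smoothing the text argues for. Ties are broken by address and port only to keep the choice deterministic; a real logon process might instead prefer the replica with the fewest connected peripheral threads, the other criterion the text names.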



